ConfigServer Security & Firewall (CSF) is a stateful packet inspection (SPI) firewall with login/intrusion detection capabilities for Linux VPS Hosting running CentOS, Ubuntu, and other Unix operating systems. Simply put, CSF simplifies the proactive and reactive processes related to Linux cybersecurity.
What is CSF?
Managing firewall settings with iptables commands can get complicated. Also, the active rules for iptables are not persistent. This makes it easy to understand why there are several iptables managers, or wrappers, available, including Uncomplicated Firewall (UFW) and firewalld. So if CSF is not unique in providing basic iptables rule management, why use it? What sets it apart from similar applications is its additional built-in features:
- The ability to perform basic server security settings checks
- Login Failure Daemon (LFD) to prevent brute-force login attempts
- Monitor and search important system log files directly in WebHost Manager (WHM) on cPanel servers
- View currently listening ports and what processes are listening on them
- Preset configurations, called profiles, to easily switch security settings for different use cases (development, panic mode, etc.)
- And lots more…
Our cPanel-managed VPS and dedicated server hosting plans start with Advanced Policy Firewall (APF) installed. However, CSF is more advanced and includes a long list of features in WHM. APF must be uninstalled before you install CSF.
Uninstall APF from your InMotion cPanel Server
InMotion Hosting cPanel server administrators must remove APF before installing CSF.
Stop and Disable the APF Service
- Log into your server via SSH as the root user.
- Stop the APF service:
systemctl stop apf
- Remove symbolic links from chkconfig management:
chkconfig --del apf
- Remove remaining APF files:
rm -fr /etc/init.d/apf /usr/local/sbin/apf /etc/apf /usr/local/cpanel/whostmgr/cgi/{apfadd,addon_add2apf.cgi}
Next, remove Add IP to Firewall from WHM.
- Uninstall the APF and WHM firewall YUM packages:
yum -y remove apf-ded whm-addip
- Remove remaining WHM configuration files:
rm -rf /usr/local/cpanel/whostmgr/cgi/apfadd /usr/local/cpanel/whostmgr/cgi/addon_add2apf.cgi
- Open the pluginscache.yaml file with a file editor (e.g. Nano, VIM, Emacs):
nano /var/cpanel/pluginscache.yaml
- If you see something similar to the following, remove all the lines except for the uniquekey one.
-
acllist:
- create-acct
cgi: addon_add2apf.cgi
icon: ''
showname: Add IP to Firewall
tagname: ''
target: mainFrame
uniquekey: add_ip_to_firewall
- Save changes. In Nano, type Ctrl + X on your keyboard to save and exit Nano.
Install CSF
- SSH into your server.
- Install CSF from the YUM repository:
yum install -y csf-ded
- Start the CSF service with Systemd:
systemctl start csf
- Update the CSF WHM plugin.
The quickest method is to use this Perl command:
curl -sL https://download.configserver.com/csupdate | perl
If you want to be thorough, you can use the manual method instead.
wget https://download.configserver.com/csupdate
yum install dos2unix
dos2unix csupdate
chmod +x csupdate
./csupdate
Turn on Brute force monitoring for a head start in hardening your system.
- Log into your VPS via SSH.
- This sed one-liner adds brute force monitoring to your CSF configuration file:
sed 's/\(LF_\(PERMBLOCK\|SSHD\|FTPD\|SMTPAUTH\|POP3D\|IMAPD\|CPANEL\) *= *"\)[^"]\+/\11/;s/\(LF_TRIGGER *= *"\)[^"]\+/\13/' -i /etc/csf/csf.conf
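To see what the one-liner changes before it edits /etc/csf/csf.conf in place, the same two sed expressions can be run against a copy. This is an added example, not part of the original article or the CSF project; the function names and the sample configuration are constructed for illustration, and GNU sed is assumed.

```shell
#!/usr/bin/env bash
# Added example: dry-run the article's sed expressions on a copy of csf.conf.

# enable_lfd_monitoring SRC DST (hypothetical helper)
# Writes a modified copy of SRC to DST using the same two substitutions as the
# article's one-liner, leaving SRC untouched.
enable_lfd_monitoring() {
    sed 's/\(LF_\(PERMBLOCK\|SSHD\|FTPD\|SMTPAUTH\|POP3D\|IMAPD\|CPANEL\) *= *"\)[^"]\+/\11/;s/\(LF_TRIGGER *= *"\)[^"]\+/\13/' "$1" > "$2"
}

# conf_value FILE KEY (hypothetical helper): prints the quoted value of KEY.
conf_value() {
    sed -n "s/^$2 *= *\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Constructed sample values, not a real server's configuration.
make_sample_conf() {
    cat > "$1" <<'EOF'
LF_TRIGGER = "0"
LF_TRIGGER_PERM = "1"
LF_PERMBLOCK = "0"
LF_SSHD = "5"
LF_SSHD_PERM = "3600"
LF_FTPD = "10"
LF_SMTPAUTH = "0"
LF_POP3D = "0"
LF_IMAPD = "0"
LF_CPANEL = "0"
EOF
}

demo() {
    tmp=$(mktemp -d)
    make_sample_conf "$tmp/csf.conf"
    enable_lfd_monitoring "$tmp/csf.conf" "$tmp/csf.conf.new"
    # The diff lists exactly the lines the in-place command would rewrite.
    # Keys such as LF_SSHD_PERM and LF_TRIGGER_PERM must not appear in it.
    diff "$tmp/csf.conf" "$tmp/csf.conf.new" || true
    rm -rf "$tmp"
}

demo
```

On a real server, point the first argument at /etc/csf/csf.conf and review the diff before running the in-place command.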
Steps when using Custom Nameservers
If you are using custom nameservers, you must complete the following section to allow incoming UDP connections.
- While still in SSH, edit your primary CSF configuration file:
nano /etc/csf/csf.conf
- Find the UDP_IN line and add 53 for port 53 (DNS). The result should read:
UDP_IN = "20,21,53"
- Ensure the TCP_IN line also includes 53. It should look similar to:
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096,3306,587,30000:35000"
More or fewer ports may need to be whitelisted depending on software and server hardening requirements.
- Save changes. In Nano, type Ctrl + X to save and exit Nano.
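A quick check that port 53 is covered by both lists after the edit, including entries written as ranges such as 30000:35000. This is an added example, not part of the original article or the CSF project; the function names are hypothetical, and the sample file combines the TCP_IN value shown above with a constructed UDP_IN line that has not been edited yet.

```shell
#!/usr/bin/env bash
# Added example: check that a port is covered by TCP_IN and UDP_IN.

# port_allowed FILE KEY PORT (hypothetical helper): succeeds if PORT appears in
# KEY's list, either as a single port or inside a low:high range.
port_allowed() {
    local list entry
    list=$(sed -n "s/^$2 *= *\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1)
    local IFS=,
    for entry in $list; do
        case $entry in
            *:*) [ "$3" -ge "${entry%%:*}" ] && [ "$3" -le "${entry##*:}" ] && return 0 ;;
            *)   [ "$entry" = "$3" ] && return 0 ;;
        esac
    done
    return 1
}

# missing_dns_ports FILE (hypothetical helper): prints each list lacking port 53.
missing_dns_ports() {
    local key
    for key in TCP_IN UDP_IN; do
        port_allowed "$1" "$key" 53 || echo "$key"
    done
}

# Constructed sample: TCP_IN as in the article, UDP_IN before port 53 is added.
make_sample_conf() {
    cat > "$1" <<'EOF'
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096,3306,587,30000:35000"
UDP_IN = "20,21"
EOF
}

demo() {
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    echo "Lists missing port 53:"
    missing_dns_ports "$tmp"
    rm -f "$tmp"
}

demo
```

Run `missing_dns_ports /etc/csf/csf.conf` on the server; empty output means both lists include port 53.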
Provide Reseller Rights for cPanel Users
By default, only the root user has rights to edit firewall rules. If you want to allow reseller cPanel users to edit the CSF rules, follow this section.
- Edit the CSF resellers file:
nano /etc/csf/csf.resellers
- Add the following line, but replace “userna5” with the actual cPanel username:
userna5:0:USE,ALLOW,DENY,UNBLOCK
- Save changes. In Nano, type Ctrl + X to save and exit Nano.
- Restart CSF:
systemctl restart csf
- Log in to WHM as the root user.
- Select Edit Reseller Nameservers and Privileges.
- Choose the cPanel user you want to grant CSF privileges to, then click Submit. If there’s only one cPanel user on the server, you’ll already automatically be redirected to its privileges page.
- Check the box for ConfigServer Security & Firewall (Reseller UI).
- At the bottom, select Save all Settings.
After installing CSF, check your preset profiles or audit your open ports.
In the section with the text “Turn on Brute force monitoring for a head start in hardening your system” the command in step 2 may fail if you do a copy/paste or use the copy function built into the code snippet. It is using fancy/curly single quotes and double quotes. They need to be replaced with straight quotes and then the command will succeed.
Thanks for sharing your knowledge John, we’ll review this article and update it based on your suggestions.